Well, I've been lurking on this site for a while now and figured it was about time to register myself on the forum.

Who am I: I am a 22-year-old college student who is going after a BBA in Information Systems while at the same time pursuing an AAS in Information Security. Unlike most people, my interest in Infosec didn't start until a year ago and I have found myself trying to play catch-up with the rest of the industry ever since.

Current Goals: Right now, my current goal is to set up a laptop pen testing lab where I can toy with programs without fear of screwing up my gaming PC (After I get my laptop, I'll see about converting my gaming PC into a GPU powered password cracking machine). During this time, I'm trying to learn the basics of Ruby, Python, and JavaScript (in that order) along with the basics of TCP/IP and Hacking platforms such as Metasploit.

Beyond that, I'll see about adding more stuff to my pen testing lab beyond just the laptop with VMs. Thomas Wilhelm's Rant opened my eyes a bit and I found myself agreeing with him that I invest more in my lab if I want to get more out of it.

Specialization: Ideally, I want to go into Pen Testing but Computer Forensics has also sparked my interest along with Malware Analyzing so it depends if my interests involve fishing for files that no one wants to see (but it's your job to find) or to be building exploits.

Future Possible Projects: Lately, I've been looking at the Prey anti-theft software. Now, this program is all great and good but the problem is that a thief could steal a computer, reformat the hard drive and you lose your tracking. I've been toying with the idea of combining a rootkit into the BIOs of the computer so if the hard drive gets wiped, you can still track them. Any ideas or resources that can help me with this would be appreciated.

Now on to the cert path:

My AAS degree has aligned itself with the CompTIA certs (A+, Network+, Security+) along with some basic Cisco knowledge (the CCNA is offered at this school but it is in a different program so I'll have to pick that up later) so it should give me the basic knowledge for the more advanced certs.

Beyond that, I'm stuck at a bit of a crossroads. I've heard mixed results about the C|EH (it's a cert that HR wants but most infosec people dismiss it). Likewise, I've heard good things about the eCPPT (provides lots of actual experience but HR doesn't like it).

Regardless of the middle level certifications, I eventually want to obtain the OSCP and proceed to get a CISSP shortly after.

So anyways, there's my story and hope to see you around the forums.

Last edited by Shock on Sat Feb 25, 2012 5:45 pm, edited 1 time in total.

Sounds like you have a lot of good plans, and that you're on the right track, but I have to say that BIOS is spelled like this (No offense intended.)

About the certs, CEH will only give you a broad foundation that will teach you the very basics, but it won't make you a real hacker, and eCPPT is fine, but as others have said: It's very "web application based", and the content of this section in particular, is also basic.

OSCP on the other hand, is good and also hard, but it's a good one to accomplish. Especially because more and more employers value this cert higher than CEH, so if you have OSCP you may be able to get some jobs easier.

CISSP requires working experience within InfoSec, so you can only become an associate if you don't have the necessary experience. You may wonder why there is such a requirement? Well some might think it's to document that you've actually worked with InfoSec, but your CV / Resumé and references can provide that.

Once a young person, at the age of ~14 passed the CISSP test, so you can imagine that they had to make some sort of requirement so anyone couldn't just obtain CISSP, even though they would have the knowledge to pass the test. CISSP is very good to have for HR purposes, and perhaps as a manager if you're not really doing pentesting.

MaXe wrote:Sounds like you have a lot of good plans, and that you're on the right track, but I have to say that BIOS is spelled like this (No offense intended.)

None taken.

MaXe wrote:About the certs, CEH will only give you a broad foundation that will teach you the very basics, but it won't make you a real hacker, and eCPPT is fine, but as others have said: It's very "web application based", and the content of this section in particular, is also basic.

Well, basic is good and we all have to start from somewhere. From what I've heard, the industry as a whole is moving more towards web apps every day so that will really come in useful.

MaXe wrote:OSCP on the other hand, is good and also hard, but it's a good one to accomplish. Especially because more and more employers value this cert higher than CEH, so if you have OSCP you may be able to get some jobs easier.

Oh yes. I was toying with the idea of getting the C|EH so it could look pretty on the resume and get my foot in the door for a low infosec job and once there, allow me to beg my new employer about taking shots at the better certs. Then I will feel more comfortable after 5-6 months of actual infosec experience to take the OSCP.

Btw, do you have any book recommendations for the OSCP?

MaXe wrote:CISSP requires working experience within InfoSec, so you can only become an associate if you don't have the necessary experience. You may wonder why there is such a requirement? Well some might think it's to document that you've actually worked with InfoSec, but your CV / Resumé and references can provide that.

Once a young person, at the age of ~14 passed the CISSP test, so you can imagine that they had to make some sort of requirement so anyone couldn't just obtain CISSP, even though they would have the knowledge to pass the test. CISSP is very good to have for HR purposes, and perhaps as a manager if you're not really doing pentesting.

Not to be cynical (and I may be wrong on this) but I keep hearing in my local DefCon group that either pen testers go on to be managers or eventually fall prey to the "being too old and outdated" mentality. Is this true or am I just hearing things?

Shock wrote:

MaXe wrote:OSCP on the other hand, is good and also hard, but it's a good one to accomplish. Especially because more and more employers value this cert higher than CEH, so if you have OSCP you may be able to get some jobs easier.

Oh yes. I was toying with the idea of getting the C|EH so it could look pretty on the resume and get my foot in the door for a low infosec job and once there, allow me to beg my new employer about taking shots at the better certs. Then I will feel more comfortable after 5-6 months of actual infosec experience to take the OSCP.

Btw, do you have any book recommendations for the OSCP?

Well, it's hard for me to say, as I took OSCE as the first infosec course and cert I had ever done, and at that time, the only book I had read was The Penetration Testers Open Source Toolkit vol. 2 (that won't prepare you for OSCP, but it gives you a lot of useful practical information). I do however suggest you read some of the threads in the OSCP section here, as there's a lot of good advice, even how people managed to pass (Not actual solutions.)

Shock wrote:

MaXe wrote:CISSP requires working experience within InfoSec, so you can only become an associate if you don't have the necessary experience. You may wonder why there is such a requirement? Well some might think it's to document that you've actually worked with InfoSec, but your CV / Resumé and references can provide that.

Once a young person, at the age of ~14 passed the CISSP test, so you can imagine that they had to make some sort of requirement so anyone couldn't just obtain CISSP, even though they would have the knowledge to pass the test. CISSP is very good to have for HR purposes, and perhaps as a manager if you're not really doing pentesting.

Not to be cynical (and I may be wrong on this) but I keep hearing in my local DefCon group that either pen testers go on to be managers or eventually fall prey to the "being too old and outdated" mentality. Is this true or am I just hearing things?

It happens to some, and yes it is easy to fall behind, so at some point it may be reasonable to become e.g., a manager if you want to become that of course. A manager that may not be 100% up to date, but has practical experience ranging over decades is definitely worth having / being.

I should note however, that XSS is like at least 10 years old, and it still exists on many websites. SQL Injection, and buffer overflows too, and if you're a good programmer or reverse engineer able to find 0days, then it may almost become impossible to become outdated.

Of course, new exploitation techniques are occasionally developed, where you may have to learn how these function, but if you were e.g., a pentester that only uses automatic and semi-automatic tools, then it's almost impossible to become outdated too. (After all, the tools are updated for you.)

But there's definitely some areas where anyone can fall behind, and with the ever growing technology, you never know what's going on in like 20 or 30 years.

OP, you should spend some time reading the other "How do I break into the security industry?" threads. Personally, I think you're selling yourself short if you try to go right into security and don't spend some time doing systems and/or networking administration/engineering. You miss out on a lot of perspective if you only know how to break into something, as opposed to also knowing how to configure and support those technologies in an enterprise environment. You'll also have an easier time landing a job in general.

As far as certs go, keep in mind that you'll likely have to impress different people along the way to earning a job offer. CEH and CISSP may help you get an interview set up from HR, but your technical interviewer may be more impressed with your OSCP. It's not one-or-the-other. Also, clients sometimes require security consultants that work on their network to have a CISSP, CISM, etc. Even though those types of certs aren't directly applicable to pen testers, forensic specialists, malware analysts, etc., there are undoubtedly benefits to having them. Recruiters love them too.

Finally, you should really determine what you want to specialize in. You can always change your mind at any time, but you're going to spread yourself pretty thin if you try to focus on pen testing, malware analysis, and forensics all at once. There's undoubtedly a lot of overlap, but each has an enormous amount of unique tools, techniques, and technology-specific information.

ajohnson wrote:OP, you should spend some time reading the other "How do I break into the security industry?" threads. Personally, I think you're selling yourself short if you try to go right into security and don't spend some time doing systems and/or networking administration/engineering. You miss out on a lot of perspective if you only know how to break into something, as opposed to also knowing how to configure and support those technologies in an enterprise environment. You'll also have an easier time landing a job in general.

True and I'm currently looking into ways to deal with that issue. Currently, I don't have the experience and thus, I have a feeling that I will be relegated to *shudder* the tier 1 help desk sinkhole and thus will get no experience that I can put on a resume for possibly years.

I actually spent my lunch hour watching that and while its content is good, it's mostly geared towards professionals already in the field (SysAdmins, Network Engineers, etc) who want to make the leap into Infosec. There is sadly little use for a college student working on certs.

ajohnson wrote:As far as certs go, keep in mind that you'll likely have to impress different people along the way to earning a job offer. CEH and CISSP may help you get an interview set up from HR, but your technical interviewer may be more impressed with your OSCP. It's not one-or-the-other. Also, clients sometimes require security consultants that work on their network to have a CISSP, CISM, etc. Even though those types of certs aren't directly applicable to pen testers, forensic specialists, malware analysts, etc., there are undoubtedly benefits to having them. Recruiters love them too.

I understand that it's not one or the other, but as a student starting off, I need to make choices regarding my resources (chiefly, time and money) and need to see what will get me the most bang for the buck in the immediate future (which is why I'm looking at the eCPPT and OSCP over the C|EH).

ajohnson wrote:Finally, you should really determine what you want to specialize in. You can always change your mind at any time, but you're going to spread yourself pretty thin if you try to focus on pen testing, malware analysis, and forensics all at once. There's undoubtedly a lot of overlap, but each has an enormous amount of unique tools, techniques, and technology-specific information.

Yes, I know. Like I said, I'm still intensely curious about all the different tools, techniques, and schools of Infosec so I'll settle down in something fairly soon.

Thanks for the input.

Last edited by Shock on Sun Feb 26, 2012 8:46 pm, edited 1 time in total.

Shock wrote:True and I'm currently looking into ways to deal with that issue. Currently, I don't have the experience and thus, I have a feeling that I will be relegated to *shudder* the tier 1 help desk sinkhole and thus will get no experience that I can put on a resume for possibly years.

Even though it's not infosec relevant work at the help desk, you do learn about e.g., soft skills, solving problems efficiently, information gathering (if you're good), and on occasion you may be lucky to deal with minor security issues.

Some help desk jobs may give you the opportunity to go back-office, project work within infosec (that's very rare), or for that sake free certifications like CCNA, MCSE, etc.

You may also obtain knowledge about the supported products, that only the tech support and the developers know about, that can give you material for security research.

In essence, it does feel like a complete waste of time, and dealing with angry customers is not fun either, but at least you get to try that too, where you will learn to improve your patience and e.g., make them feel better, which is close to social engineering / psychology.

I've worked within the helpdesk environment for 2½ years so far, as I had trouble landing a sys-admin job when I finished my education, so I took the easy path of going into helpdesk, which puts "some" experience on your CV, but it's a start and you do learn to deal with people.

It's not the best job in the world, but it's a start even though it's small.

Also, it may seem crazy applying for a job if you only have tech support experience, but if you have e.g., some good certifications, and you can pass the technical interview, then you have a good chance.

I've basically used tech support as a filler on my CV so far, while occasionally working freelance. Until recently (end of last year) I finally got a contract for a future >infosec< job, where I'm in the process of acquiring a visa.

Shock wrote:I understand that it's not one or the other, but as a student starting off, I need to make choices regarding my resources (chiefly, time and money) and need to see what will get me the most bang for the buck in the immediate future (which is why I'm looking at the eCPPT and OSCP over the C|EH).

If I were you, I would do what I can to build good PR around my name, get the OSCP certification, and apply for Junior Penetration Tester positions. If you can pass the technical interviews, and perhaps even intrigue them, then you have a good chance of getting employed within infosec that way.

Of course, it does take skill and you have to really be able to prove you're good, by e.g., sharing your research, custom tools, CVEs, etc.